Active Exploitation Alert Dec 14, 2025 3 min read ← All posts

Apple Urgently Patches WebKit Zero-Day Vulnerabilities Exploited in Targeted Attacks Affecting iOS, macOS, and Safari

Apple Urgently Patches WebKit Zero-Day Vulnerabilities Exploited in Targeted Attacks Affecting iOS, macOS, and Safari

Apple Issues Security Updates After Two WebKit Flaws Found Exploited in the Wild

Date: December 13, 2025Prepared by: Rescana OSINT Cybersecurity Research Team

Executive Summary

Apple has released emergency security updates to address two zero-day vulnerabilities in WebKit, the browser engine powering Safari and all browsers on iOS. Both vulnerabilities (CVE-2025-43529 and CVE-2025-14174) have been confirmed as exploited in the wild in highly targeted, sophisticated attacks. The flaws affect a wide range of Apple devices, including iPhones, iPads, Macs, Apple Watch, Apple TV, and Vision Pro. Google has also patched the same vulnerability in Chrome for Mac, indicating a coordinated disclosure.

Vulnerability Details

1. CVE-2025-43529

  • Type: Use-after-free in WebKit
  • Impact: Remote Code Execution (RCE) via malicious web content
  • Discovery: Google Threat Analysis Group
  • Affected Devices:
  • iPhone 11 and later
  • iPad Pro 12.9-inch (3rd gen and later)
  • iPad Pro 11-inch (1st gen and later)
  • iPad Air (3rd gen and later)
  • iPad (8th gen and later)
  • iPad mini (5th gen and later)
  • macOS, tvOS, watchOS, visionOS, Safari

2. CVE-2025-14174

  • Type: Out-of-bounds memory access in ANGLE (WebKit/Chrome)
  • Impact: Remote Code Execution (RCE) via crafted HTML page
  • Discovery: Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group
  • CVSS v3.1 Score: 8.8 (High)CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CWE: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
  • References:
  • NVD Entry
  • CISA KEV Catalog
  • Chrome Advisory
  • Chromium Issue Tracker

Exploitation in the Wild

  • Nature of Attacks:
  • Apple and Google both report "extremely sophisticated" and "highly targeted" exploitation, likely by advanced threat actors (APT).
  • Attacks were observed against specific individuals, not mass exploitation.
  • Exploitation occurred on iOS versions prior to iOS 26.
  • The attack chain is consistent with spyware delivery, leveraging malicious web content to trigger RCE.
  • APT/Threat Actor Attribution:
  • No public attribution to a specific APT group as of this report.
  • The use of WebKit zero-days in targeted attacks is consistent with past campaigns by state-sponsored actors (e.g., NSO Group, APT41, APT28), but no direct evidence links these groups to the current exploitation.
  • Indicators of Compromise (IOCs):
  • No public IOCs have been released by Apple or Google as of this report.
  • Exploitation is triggered by visiting a malicious or compromised website.

Technical References & Proof-of-Concepts

  • Apple Security Bulletin:Apple Security Updates
  • BleepingComputer Coverage:Apple fixes two zero-day flaws exploited in 'sophisticated' attacks
  • CISA KEV Catalog:CVE-2025-14174
  • Chromium Issue Tracker:466192044
  • Reddit Community Discussion:Apple fixes two zero-day flaws in iOS exploited in targeted attacks

MITRE ATT&CK Mapping

  • Tactic: Initial Access (TA0001)
  • Technique: Drive-by Compromise (T1189)
  • Sub-technique: Exploit Public-Facing Application (T1190)
  • Potential Use: Delivery of spyware or surveillance malware via malicious web content.

Mitigation Strategies

  • Immediate Action:
  • Apply the latest Apple security updates: iOS/iPadOS 26.2, 18.7.3
  • macOS Tahoe 26.2
  • tvOS 26.2
  • watchOS 26.2
  • visionOS 26.2
  • Safari 26.2

For Chrome on Mac, update to version 143.0.7499.110 or later.

CISA Guidance:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes

  • No public PoC exploits have been released as of this report.
  • No mass exploitation has been observed; attacks are highly targeted.
  • No confirmed breach disclosures from organizations, but individuals targeted may be at risk of surveillance or data theft.

References

  • Apple Security Updates
  • BleepingComputer Article
  • NVD CVE-2025-14174
  • CISA KEV Catalog
  • Chromium Issue Tracker
  • Reddit Discussion

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and risk analytics empower security teams to proactively defend against emerging threats and ensure the resilience of their business operations. For more information or to discuss how our solutions can enhance your security posture, we are happy to answer questions at ops@rescana.com.

Recent Posts

See All →
For retailers: Suppliers of POS, OMS and CRM systems are not ‘Third Party’, they are actually ‘Teammates’
Mar 26, 2026
For retailers: Suppliers of POS, OMS and CRM systems are not ‘Third Party’, they are actually ‘Teammates’
Intuitive Surgical Administrative Network Breach: 2026 Phishing Attack Exposes Employee and Customer Data
Mar 18, 2026
Intuitive Surgical Administrative Network Breach: 2026 Phishing Attack Exposes Employee and Customer Data
Critical AI Vulnerabilities in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and Remote Code Execution
Mar 18, 2026
Critical AI Vulnerabilities in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and Remote Code Execution